“Findings from the investigation show external unauthorized access to MSG’s payment processing system and installation of a program that looked for payment card data as that data was being routed through the system for authorization,” read the statement.

The compromised data included credit card numbers, cardholder names, expiration dates and internal verification codes from payment cards used to purchase merchandise, food and drink items at its venues.

According to MSG, customers who made such purchases between November 9, 2015, and October 24, 2016, at the following locations may have been affected: Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and The Chicago Theater.

The company noted the incident did not involve cards used on MSG websites, at the venues’ box offices or on Ticketmaster.

“In the last week of October 2016, as soon as the investigation found signs of external unauthorized access, MSG worked with … security firms to stop it and to implement enhanced security measures,” the statement said.

The NYC-based sports and entertainment company did not specify how many customers were impacted during the year-long incident.

However, it strongly encouraged customers to immediately report any fraudulent charges to card issuers and monitor bank statements closely.

“We recommend that you remain vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity,” advised MSG.

The company said it’s also working with law enforcement to further investigate the theft.